To join a computer to the Windows domain (UMROOT), you must either be personally authorized to do so or possess the credentials of another authorized account. When pre-staging the Windows computer object, it is a best practice to specify a Windows security group containing some number of Windows accounts that are authorized to create computer objects within the delegated OU instead of one individual account. If you need to create a security group for this purpose, please read the Naming Standards for the U-M Windows Forest section when choosing a name for the security group.
Before pre-staging computer objects, you will need to know the name(s) to give them. The "Computer Name" and "Pre-Windows 2000 Computer Name" entries for your computer objects need to be unique within the Windows domain. The U-M standard for creating a Windows computer name specifies that each organization must prefix their computer names with a unique string of two or more characters, followed by a dash.
Typically, a U-M organization will choose a computer prefix when joining the forest. To find existing prefixes or search for a department's prefix, see U-M Windows Organizational Prefixes. Prefixes are handed out on a "first-come, first-served" basis. Please refer to the U-M Windows naming standards page for more information on naming standards in Active Directory at U-M. For assistance with prefixes or naming, contact the ITS Service Center.
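The naming rules above can be checked before any object is created. The following PowerShell function is an added example, not part of the original U-M documentation. It checks a batch of proposed names for the organizational prefix and for collisions in the pre-Windows 2000 name, which holds at most 15 characters. The prefix `ZZ`, the sample names, the function name and the letters/digits/dash character rule are assumptions made for illustration.

```powershell
# Added example: pre-flight check of proposed computer names before pre-staging.
# 'ZZ' is a placeholder prefix, not a real U-M organizational prefix.
function Test-ProposedComputerName {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        # The standard requires a prefix of two or more characters.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{2,}$')][string]$Prefix
    )
    $seen = @{}   # pre-Windows 2000 name -> first full name that produced it
    foreach ($n in $Name) {
        $problems = @()
        # Pre-Windows 2000 (NetBIOS) names are upper-cased and cut to 15 characters.
        $legacy = $n.ToUpperInvariant()
        if ($legacy.Length -gt 15) { $legacy = $legacy.Substring(0, 15) }

        if (-not $n.StartsWith("${Prefix}-", [System.StringComparison]::OrdinalIgnoreCase)) {
            $problems += "missing organizational prefix '${Prefix}-'"
        }
        # Assumed conservative rule: letters, digits and dash only.
        if ($n -notmatch '^[A-Za-z0-9-]+$') {
            $problems += 'contains characters other than letters, digits and dash'
        }
        if ($n.Length -gt 15) {
            $problems += "longer than 15 characters; pre-Windows 2000 name becomes '$legacy'"
        }
        # Two long names can share the same first 15 characters.
        if ($seen.ContainsKey($legacy)) {
            $problems += "pre-Windows 2000 name collides with '$($seen[$legacy])'"
        } else {
            $seen[$legacy] = $n
        }
        [pscustomobject]@{
            Name       = $n
            PreWin2000 = $legacy
            Ok         = ($problems.Count -eq 0)
            Problems   = $problems -join '; '
        }
    }
}

# Constructed sample batch (not real U-M computer names)
$batch = 'ZZ-LAB-01', 'zz-lab-01', 'LAB-02',
         'ZZ-LAB-WORKSTATION01', 'ZZ-LAB-WORKSTATION02', 'ZZ-front_desk'
Test-ProposedComputerName -Name $batch -Prefix 'ZZ' | Format-Table -AutoSize -Wrap
```

This only checks the batch against itself; uniqueness within the domain still has to be confirmed against the directory before the objects are created.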
Administrators of Organizational Units (OUs) must "pre-allocate" computer objects within their OU before attempting to join those computers to the UMROOT domain.
Pre-staging a computer means creating its computer object. This can be done either via the "Users and Computers" snap-in or programmatically via an Active Directory Service Interface (ADSI) script. The Users and Computers tool is included in the Remote Server Administration Tools (RSAT) from Microsoft.
Using the Users and Computers tool:
- Right-click within your OU for a context menu, then choose New > Computer.
- In the New Object - Computer dialog box, fill in the appropriate information:
  - Computer Name
  - Computer Name (pre-Windows 2000)
  - User or Group
  - Check-box to allow "pre-Windows 2000" clients to join the Windows domain